A severe remote code execution (RCE) vulnerability has been discovered in Lighthouse Studio, a popular web-based survey platform developed by Sawtooth Software. The flaw—tracked as CVE-2025-34300 and given a CVSSv4 score of 10—affects the software’s Perl CGI scripts and enables unauthenticated attackers to execute arbitrary code on web servers that host user-facing surveys.
This flaw “allows any user with the survey link to achieve remote code execution on any web server hosting these scripts,” Searchlight Cyber explained in its in-depth vulnerability analysis.
Lighthouse Studio operates via a two-part system: a desktop application used to create surveys, and a server-side component—Perl CGI scripts—deployed on a company’s website to host those surveys. While the desktop app is not publicly accessible, the server-side CGI scripts often are.
“A single company might have 10s or even 100s of copies of the scripts on their webserver,” the report notes, emphasizing the potentially massive attack surface created by reused and unpatched script copies.
The vulnerability lies in a primitive server-side templating engine used in the ciwweb.pl script. This templating engine allows survey designers to embed dynamic content via a syntax like [%%]. However, the engine dangerously uses Perl’s eval() function to interpret and execute the content between these tags—without proper sanitization.
“Anything between [% … %] will be passed to _foq and evaluated as Perl code,” the report explains.
The exploitation is trivial. An attacker can append a specially crafted parameter to a survey URL, such as:
This ultimately gets passed to eval('7*7'), resulting in code execution on the server. Even worse, attackers can pass system commands inside backticks to run arbitrary shell commands:
While older versions (like 9.15.x) attempted to block this with naïve regex filters—adding a space between [ and %—those protections are easily circumvented. The researchers passed the same query parameter twice, which caused the vulnerable script to bypass sanitization logic due to how Perl handles arrays.
“Substitutions get completely ignored! Thus we can bypass this protection simply by passing the query param twice… [and it] works on targets from every version,” the report states.
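Both request patterns the report describes, a [% ... %] tag inside a survey parameter and the same parameter sent twice to slip past the 9.15.x filter, are visible in ordinary web server access logs. The following is an added example, not code from the report or from Sawtooth Software: a Python scan over constructed combined-format log lines that percent-decodes each query string and flags requests to ciwweb.pl that carry a template tag, a repeated parameter, or backticks inside the tag. The IPs, parameter names (hid_s, note, q) and the [%7*7%] value are assumptions for illustration; only the script name and tag syntax come from the report.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed combined-format access-log lines. IPs, parameter names and values
# are illustrative; only ciwweb.pl and the [% ... %] tag syntax come from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:12:00:01 +0000] "GET /cgi-bin/ciwweb.pl?hid_s=1&hid_p=1 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jul/2025:12:00:07 +0000] "GET /cgi-bin/ciwweb.pl?hid_s=1&note=%5B%257*7%25%5D HTTP/1.1" 200 4090
203.0.113.9 - - [10/Jul/2025:12:00:09 +0000] "GET /cgi-bin/ciwweb.pl?note=hello&note=%5B%257*7%25%5D HTTP/1.1" 200 4101
198.51.100.2 - - [10/Jul/2025:12:01:00 +0000] "GET /cgi-bin/ciwweb.pl?hid_s=2&q=100%25+done HTTP/1.1" 200 5000
"""
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
TEMPLATE_RE = re.compile(r'\[%.*?%\]', re.S)  # the engine's [% ... %] tag, after URL decoding

def analyze_request(target: str) -> dict:
    """Decode one request target and rate it for template-injection indicators."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes each value
    counts = {}
    for name, _ in pairs:
        counts[name] = counts.get(name, 0) + 1
    repeated = sorted(n for n, c in counts.items() if c > 1)   # same param sent twice
    tagged = sorted({n for n, v in pairs if TEMPLATE_RE.search(v)})  # value carries [% ... %]
    backticks = any('`' in m.group(0) for _, v in pairs for m in TEMPLATE_RE.finditer(v))
    if not tagged:
        severity = 'none'
    elif backticks:
        severity = 'critical'   # tag wrapping a backtick command substitution
    elif set(tagged) & set(repeated):
        severity = 'high'       # tag plus duplicated param: the 9.15.x filter-bypass pattern
    else:
        severity = 'medium'     # tag in a survey parameter of a patched or unknown version
    return {'script': parts.path.rsplit('/', 1)[-1], 'tagged': tagged,
            'repeated': repeated, 'severity': severity}

def scan_log(text: str) -> list:
    """Return one finding per line that hits ciwweb.pl with any indicator present."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            result = analyze_request(m.group('target'))
            if result['script'] == 'ciwweb.pl' and result['severity'] != 'none':
                findings.append({'ip': m.group('ip'), **result})
    return findings

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:13} tagged={f['tagged']} repeated={f['repeated']}")
```

Legitimate survey traffic rarely contains a literal [% in a submitted value, so the medium tier is worth reviewing too, and the repeated-parameter check catches the bypass even on hosts still running the 9.15.x regex filter.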
The researchers were able to replicate the exploit across almost all known deployments of the CGI scripts. This includes environments where the same vulnerable scripts have been copied dozens of times across internal directories, a practice that increases the risk of missing critical updates.
Adding to the concern, these scripts lack an auto-update mechanism, meaning patching must be done manually, one copy at a time.
Searchlight Cyber responsibly disclosed the issue to Sawtooth Software on April 9th, 2025. A patched version, 9.16.14, has since been released.
Organizations running Lighthouse Studio surveys—especially those exposing the cgi-bin/ path to the internet—are urged to update immediately and conduct a full inventory to eliminate all legacy copies of the vulnerable scripts.